Saturday, February 18, 2012

Identity propagation with OWSM

OWSM allows you to pass the identity of the authenticated user on to your OWSM-protected web service (thanks to OPSS); this username can then be used by your service. This works within one WebLogic domain or between different WebLogic domains.
For example, on the client side you can have a web application that uses ADF Security or container security; the application calls a web service with the help of a WS proxy client or an ADF WS data control. The web service can be a SOA Suite service, an OSB proxy or a JAX-WS service.
To make this work we need to use SAML policies: SAML allows us to do identity propagation. Other policies won't work because they require the password of the authenticated user, which you don't have.
Before I show you how this works, you need a SAML OWSM environment. I already set one up in the blog post Do SAML with OWSM, in which I generated some keystores, configured OWSM on all the WebLogic domains and deployed a web service that has the oracle/wss11_saml_token_with_message_protection_service_policy service policy. In my case I used JAX-WS, but it also works on SOA Suite and OSB. When you want to do this across different WebLogic domains, you need to make sure that the user identities exist on both domains (or you can enable virtual users).
On the client side there is, in this case, an ADF web application protected by ADF Security. In this application I use an ADF WS data control, to which we add the SAML client policy wss11_saml_token_with_message_protection_client_policy.

Create the ADF WS data control. Select the DataControls.dcx file and then select the service in the Structure window.

Click on "Define Web Service Security".


Select oracle/wss11_saml_token_with_message_protection_client_policy in the Security tab.


Override the properties. These settings work for the SOA Suite server; if you want to use this on the SAML server, you need to use www.amis.nl as saml.issuer.name and samlkey as keystore.recipient.alias.


Deploy the application to the WebLogic Server and you are ready to go.
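The trust decision the SAML service policy makes when the propagated identity arrives, as an added example that is not code from this post or from OWSM: a constructed Python sketch of the assertion-level checks a service performs before it adopts the asserted username (trusted issuer, validity window, audience restriction, sender-vouches confirmation, subject name). The sample assertion, the subject name `weblogic`, the audience URI and the timestamps are constructed for the example; only the issuer name www.amis.nl comes from the override properties above. XML-Signature and message-protection verification, which OWSM does with the keystores configured earlier, is assumed to have happened before these checks.

```python
"""Service-side checks on a SAML 1.1 sender-vouches assertion.

Constructed illustration, not OWSM's implementation: it shows which assertion
fields a service policy evaluates before it trusts the propagated username.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample of the assertion a sender-vouches client policy places in
# the WS-Security header. Issuer matches the saml.issuer.name override from the
# post; the subject "weblogic" is the already-authenticated web-application user.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                MajorVersion="1" MinorVersion="1"
                AssertionID="id-constructed-0001" Issuer="www.amis.nl"
                IssueInstant="2012-02-18T10:00:00Z">
  <saml:Conditions NotBefore="2012-02-18T09:55:00Z" NotOnOrAfter="2012-02-18T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://example.invalid/HelloService</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                                AuthenticationInstant="2012-02-18T10:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>weblogic</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
""".strip()

# Constructed reference values for the sample above.
EXPECTED_AUDIENCE = "http://example.invalid/HelloService"
NOW_VALID = datetime(2012, 2, 18, 10, 0, 30, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2012, 2, 18, 10, 6, 0, tzinfo=timezone.utc)


def _q(tag):
    """Qualify a SAML 1.x element name with its namespace."""
    return f"{{{SAML1_NS}}}{tag}"


def _parse_utc(value):
    """Parse the UTC timestamp form used in the assertion (e.g. 2012-02-18T10:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, expected_audience, now):
    """Return (True, username) if the assertion is acceptable, else (False, reason).

    The service never sees the user's password: it accepts the subject only
    because the Issuer is one it has been configured to trust, which is why
    both domains must agree on the issuer name (and the signing key behind it).
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("MajorVersion") != "1":
        return False, "not a SAML 1.x assertion"

    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer: {issuer}"

    conditions = root.find(_q("Conditions"))
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_utc(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now >= _parse_utc(not_on_or_after):
            return False, "assertion expired"
        # An AudienceRestrictionCondition, when present, must name this service.
        audiences = [a.text.strip() for a in conditions.iter(_q("Audience")) if a.text]
        if audiences and expected_audience not in audiences:
            return False, "Audience URI for SAML assertion is invalid"

    method = root.find(f".//{_q('ConfirmationMethod')}")
    if method is None or (method.text or "").strip() != SENDER_VOUCHES:
        return False, "unsupported subject confirmation method"

    name_id = root.find(f".//{_q('NameIdentifier')}")
    username = (name_id.text or "").strip() if name_id is not None else ""
    if not username:
        return False, "assertion carries no subject NameIdentifier"
    return True, username


if __name__ == "__main__":
    for label, issuers, audience, now in [
        ("trusted issuer", {"www.amis.nl"}, EXPECTED_AUDIENCE, NOW_VALID),
        ("unknown issuer", {"other.example"}, EXPECTED_AUDIENCE, NOW_VALID),
        ("wrong audience", {"www.amis.nl"}, "http://example.invalid/Other", NOW_VALID),
        ("expired", {"www.amis.nl"}, EXPECTED_AUDIENCE, NOW_EXPIRED),
    ]:
        print(label, "->", validate_assertion(SAMPLE_ASSERTION, issuers, audience, now))
```

The audience case is the one that produces the "Audience URI for SAML assertion is invalid" style of rejection: the assertion is otherwise valid and signed by a trusted issuer, but it was issued for a different service, so the receiver must not adopt its subject.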

11 comments:

  1. Hello, Edwin.
    Can you give me some counsel about OWSM settings?
    I try to use an OWSM SAML-based policy: oracle/wss10_saml_token_service_policy or
    oracle/wss_saml_token_bearer_over_ssl_service_policy.
    Now I have a problem: my SAML token must contain the "AudienceRestrictionCondition" element (tag), but I don't know how to configure OWSM. I have this error in the log: "Caused By: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Audience URI for SAML assertion is invalid"
    I tried going to the policy page and adding the "saml.audience.uri" property, but it has no effect. How can I "grant" my AudienceURI value in OWSM?
    Thanks very much for any help

  2. Hi,

    I would like to validate the calling user's credentials (from a custom worklist web application in one WebLogic domain) at the SOA human task application (SOA Suite 11.1.1.5 in another WebLogic domain). I believe I need to follow these steps

    1. Attach a username token service policy at the SOA human task composite entry level
    2. Add the users to the WebLogic users
    3. Use client type WorkflowServiceClientFactory.SOAP_CLIENT in my custom worklist application

    If this is the case, then how do I construct the security header and attach it to the task along with the payload when calling from the worklist app?

    Is this the right approach? Appreciate your help.

    Thanks,
    CR

    Replies
    1. Hi,

      I don't understand what you will be doing in your custom worklist app; in this web app your username will be automatically used and added to the human task when you claim it or pass an outcome.

      On the BPEL side you can read this information.

      thanks

  3. Hi,

    Thanks for your reply.

    1. The custom worklist app contains classes which use the Oracle worklist API to create the task, retrieve task details etc.
    2. This app is converted into a jar and will be added to my web application (an existing product) war file (in the WEB-INF/lib location).
    3. User A logs in to the web app, creates a task and assigns it to user B. This action in the page calls the worklist API and creates the task for another user (passed in the input along with other details) in the SOA Suite human task app.
    4. User B logs in to the app and can see the assigned task details in a page. To do that, on load of this page the logged-in user's details will be passed to the worklist API class, which will retrieve the task details from SOA Suite.

    So I want to do the security check for the logged-in user of the web app on the SOA Suite side before getting the task details.

    So what security approaches can I follow for the following scenarios?
    A. If the worklist uses a SOAP client call?
    B. If the worklist uses an EJB client call? (As a SOAP call will be expensive for each call from the worklist API to SOA Suite)

    I have the following 2 environments where this flow is running.
    Weblogic-Oracle DB-SOA Suite
    Websphere-DB2-SOA Suite

    So my security approach should support both environments.

    Appreciate your quick inputs.

    Thanks,
    CR

    Replies
    1. Hi,

      When the human task is assigned to user B, he is the only one who can claim it. So when the acquire is successful, you know it. And I think when you use the HW EJB client it automatically uses the logged-in user as the subject in the EJB call.
      Maybe it also works in a Java WS proxy client.

      thanks

  4. Hi,

    Thanks for your inputs. Now my concern is the SECURITY check for my requirement, where only the user credentials need to be validated.
    1. Do I need to use SAML for user validation at SOA Suite
    2. OR the OWSM username token policy
    3. I believe, as per one of your articles, I have to use Domain Trust in case of a remote client call
    4. Or any other approach

    Please suggest

    Thanks,
    CR

    Replies
    1. Hi,

      When you have two domains you can't validate it twice. SAML and domain trust all depend on trust: domain 1 validates and domain 2 accepts this.

      You would have to store the password or ask for the password again on the web service. You should not do that.

      thanks

  5. Hi Edwin,

    In your example you use the policy "oracle/wss11_saml_token_with_message_protection_service_policy" to configure identity switching, but is it possible to configure identity switching using the "oracle/wss10_saml_token_with_message_integrity_client_policy" policy? That is, SAML without encryption.

    / Chris

    Replies
    1. Hi,

      I think so, when you use the matching server policy. It's more about the SAML token.

      thanks

  6. Hi Biemond,

    I want to integrate OWSM 11g with OAM. Do you have any blogs on that? That will be of great help.

    Thanks,
    Susmit

  7. Hi Edwin,
    I have a basic question regarding SAML policy.
    I have an OSB proxy with policy "wss11_saml_token_with_message_protection_service_policy" which I am invoking from a J2SE standalone WS client with policy "wss11_saml_token_with_message_protection_client_policy".
    In the client I have provided the username, keystores and everything relevant, and it works well. However, I don't understand the concept behind this.
    My question is: as far as I know, to get a SAML token it needs to be authenticated first in an identity store. I am using a username defined in the WebLogic default realm. But where does that authN happen with WebLogic? It doesn't even need a password? And the OSB proxy gets encrypted data. I understand encryption is done by the private key, but when is the user authenticated? Or are the policies I have applied only for encryption? If that is the case, why is the username mandatory? Appreciate your response.
